From d4009cb34cc408eccb2a3d7f7d4ca63a1e187802 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Estrella?= <2049686+sestrella@users.noreply.github.com> Date: Tue, 14 Feb 2023 14:47:52 -0500 Subject: [PATCH] [#98] Add a flag to redirect HTTP traffic to HTTPS (#218) * Add flag to redirect HTTP to HTTPS * Rename variables and add support for shared load balancers * Modify existing examples * Update variables description * Fix redirect host default value * Replace custom status code with a flag * Fix format * Fix bad reference to aws_elastic_beanstalk_environment * Refactor datasources * Change status_code variable type * Fix load_balancer_arn reference * Fix load_balancer_arn * Add loadbalancer_redirect_http_to_https to complete example * Add missing period at the end of the validation error message * Update README.md and docs/terraform.md * Bump required_version * Update docs/terraform.md * Update README file * Change AWS provider constraint * Change AWS version constraint inside the README.md file --- README.md | 10 +++++++- docs/terraform.md | 10 +++++++- examples/complete/main.tf | 7 +++--- examples/complete/versions.tf | 2 +- examples/nlb/versions.tf | 2 +- examples/shared-alb/versions.tf | 2 +- main.tf | 28 ++++++++++++++++++++++ variables.tf | 41 +++++++++++++++++++++++++++++++++ versions.tf | 2 +- 9 files changed, 95 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index aa1b17da..eef52276 100644 --- a/README.md +++ b/README.md @@ -248,7 +248,7 @@ Available targets: | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.14.0 | +| [terraform](#requirement\_terraform) | >= 0.15.0 | | [aws](#requirement\_aws) | >= 3.0 | ## Providers 
@@ -282,6 +282,7 @@ Available targets: | [aws_iam_role_policy_attachment.ssm_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.web_tier](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.worker_tier](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lb_listener_rule.redirect_http_to_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | | [aws_s3_bucket.elb_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_ssm_activation.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_activation) | resource | | [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | @@ -290,6 +291,7 @@ Available targets: | [aws_iam_policy_document.elb_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.extended](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb_listener) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs 
@@ -365,6 +367,12 @@ Available targets: | [loadbalancer\_crosszone](#input\_loadbalancer\_crosszone) | Configure the classic load balancer to route traffic evenly across all instances in all Availability Zones rather than only within each zone. | `bool` | `true` | no | | [loadbalancer\_is\_shared](#input\_loadbalancer\_is\_shared) | Flag to create a shared application loadbalancer. Only when loadbalancer\_type = "application" https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-alb-shared.html | `bool` | `false` | no | | [loadbalancer\_managed\_security\_group](#input\_loadbalancer\_managed\_security\_group) | Load balancer managed security group | `string` | `""` | no | +| [loadbalancer\_redirect\_http\_to\_https](#input\_loadbalancer\_redirect\_http\_to\_https) | Redirect HTTP traffic to HTTPS listener | `bool` | `false` | no | +| [loadbalancer\_redirect\_http\_to\_https\_host](#input\_loadbalancer\_redirect\_http\_to\_https\_host) | Defines the host for the HTTP to HTTPS redirection rule | `string` | `"#{host}"` | no | +| [loadbalancer\_redirect\_http\_to\_https\_path\_pattern](#input\_loadbalancer\_redirect\_http\_to\_https\_path\_pattern) | Defines the path pattern for the HTTP to HTTPS redirection rule | `list(string)` |
[| no | +| [loadbalancer\_redirect\_http\_to\_https\_port](#input\_loadbalancer\_redirect\_http\_to\_https\_port) | Defines the port for the HTTP to HTTPS redirection rule | `string` | `"443"` | no | +| [loadbalancer\_redirect\_http\_to\_https\_priority](#input\_loadbalancer\_redirect\_http\_to\_https\_priority) | Defines the priority for the HTTP to HTTPS redirection rule | `number` | `1` | no | +| [loadbalancer\_redirect\_http\_to\_https\_status\_code](#input\_loadbalancer\_redirect\_http\_to\_https\_status\_code) | The redirect status code | `string` | `"HTTP_301"` | no | | [loadbalancer\_security\_groups](#input\_loadbalancer\_security\_groups) | Load balancer security groups | `list(string)` | `[]` | no | | [loadbalancer\_ssl\_policy](#input\_loadbalancer\_ssl\_policy) | Specify a security policy to apply to the listener. This option is only applicable to environments with an application load balancer | `string` | `""` | no | | [loadbalancer\_subnets](#input\_loadbalancer\_subnets) | List of subnets to place Elastic Load Balancer | `list(string)` | `[]` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 5901fe03..7a8a71a8 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.14.0 | +| [terraform](#requirement\_terraform) | >= 0.15.0 | | [aws](#requirement\_aws) | >= 3.0 | ## Providers 
@@ -37,6 +37,7 @@ | [aws_iam_role_policy_attachment.ssm_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.web_tier](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.worker_tier](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lb_listener_rule.redirect_http_to_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | | [aws_s3_bucket.elb_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_ssm_activation.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_activation) | resource | | [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | @@ -45,6 +46,7 @@ | [aws_iam_policy_document.elb_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.extended](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb_listener) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs 
@@ -120,6 +122,12 @@ | [loadbalancer\_crosszone](#input\_loadbalancer\_crosszone) | Configure the classic load balancer to route traffic evenly across all instances in all Availability Zones rather than only within each zone. | `bool` | `true` | no | | [loadbalancer\_is\_shared](#input\_loadbalancer\_is\_shared) | Flag to create a shared application loadbalancer. Only when loadbalancer\_type = "application" https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-alb-shared.html | `bool` | `false` | no | | [loadbalancer\_managed\_security\_group](#input\_loadbalancer\_managed\_security\_group) | Load balancer managed security group | `string` | `""` | no | +| [loadbalancer\_redirect\_http\_to\_https](#input\_loadbalancer\_redirect\_http\_to\_https) | Redirect HTTP traffic to HTTPS listener | `bool` | `false` | no | +| [loadbalancer\_redirect\_http\_to\_https\_host](#input\_loadbalancer\_redirect\_http\_to\_https\_host) | Defines the host for the HTTP to HTTPS redirection rule | `string` | `"#{host}"` | no | +| [loadbalancer\_redirect\_http\_to\_https\_path\_pattern](#input\_loadbalancer\_redirect\_http\_to\_https\_path\_pattern) | Defines the path pattern for the HTTP to HTTPS redirection rule | `list(string)` |
"*"
]
[| no | +| [loadbalancer\_redirect\_http\_to\_https\_port](#input\_loadbalancer\_redirect\_http\_to\_https\_port) | Defines the port for the HTTP to HTTPS redirection rule | `string` | `"443"` | no | +| [loadbalancer\_redirect\_http\_to\_https\_priority](#input\_loadbalancer\_redirect\_http\_to\_https\_priority) | Defines the priority for the HTTP to HTTPS redirection rule | `number` | `1` | no | +| [loadbalancer\_redirect\_http\_to\_https\_status\_code](#input\_loadbalancer\_redirect\_http\_to\_https\_status\_code) | The redirect status code | `string` | `"HTTP_301"` | no | | [loadbalancer\_security\_groups](#input\_loadbalancer\_security\_groups) | Load balancer security groups | `list(string)` | `[]` | no | | [loadbalancer\_ssl\_policy](#input\_loadbalancer\_ssl\_policy) | Specify a security policy to apply to the listener. This option is only applicable to environments with an application load balancer | `string` | `""` | no | | [loadbalancer\_subnets](#input\_loadbalancer\_subnets) | List of subnets to place Elastic Load Balancer | `list(string)` | `[]` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 920fc526..66d58c12 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -65,9 +65,10 @@ module "elastic_beanstalk_environment" { autoscale_upper_bound = var.autoscale_upper_bound autoscale_upper_increment = var.autoscale_upper_increment - vpc_id = module.vpc.vpc_id - loadbalancer_subnets = module.subnets.public_subnet_ids - application_subnets = module.subnets.private_subnet_ids + vpc_id = module.vpc.vpc_id + loadbalancer_subnets = module.subnets.public_subnet_ids + loadbalancer_redirect_http_to_https = true + application_subnets = module.subnets.private_subnet_ids allow_all_egress = true diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index fc6bdc59..b79ce15e 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf 
@@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.14.0" + required_version = ">= 0.15.0" required_providers { aws = { diff --git a/examples/nlb/versions.tf b/examples/nlb/versions.tf index fc6bdc59..b79ce15e 100644 --- a/examples/nlb/versions.tf +++ b/examples/nlb/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.14.0" + required_version = ">= 0.15.0" required_providers { aws = { diff --git a/examples/shared-alb/versions.tf b/examples/shared-alb/versions.tf index fc6bdc59..b79ce15e 100644 --- a/examples/shared-alb/versions.tf +++ b/examples/shared-alb/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.14.0" + required_version = ">= 0.15.0" required_providers { aws = { diff --git a/main.tf b/main.tf index 4935997e..6f39d728 100755 --- a/main.tf +++ b/main.tf @@ -1170,3 +1170,31 @@ module "dns_hostname" { context = module.this.context } + +data "aws_lb_listener" "http" { + count = local.enabled && var.loadbalancer_redirect_http_to_https ? 1 : 0 + load_balancer_arn = var.loadbalancer_is_shared ? var.shared_loadbalancer_arn : one(aws_elastic_beanstalk_environment.default.0.load_balancers) + port = var.application_port +} + +resource "aws_lb_listener_rule" "redirect_http_to_https" { + count = local.enabled && var.loadbalancer_redirect_http_to_https ? 1 : 0 + listener_arn = one(data.aws_lb_listener.http.*.arn) + priority = var.loadbalancer_redirect_http_to_https_priority + + condition { + path_pattern { + values = var.loadbalancer_redirect_http_to_https_path_pattern + } + } + + action { + type = "redirect" + redirect { + host = var.loadbalancer_redirect_http_to_https_host + port = var.loadbalancer_redirect_http_to_https_port + protocol = "HTTPS" + status_code = var.loadbalancer_redirect_http_to_https_status_code + } + } +} diff --git a/variables.tf b/variables.tf index 71b0b5a9..3129b99f 100755 --- a/variables.tf +++ b/variables.tf 
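Review bot: The `count` on `data "aws_lb_listener" "http"` and on `aws_lb_listener_rule.redirect_http_to_https` gates only on `local.enabled` and the new flag, but a `redirect` action is an Application Load Balancer listener feature (the module's own `loadbalancer_is_shared` input already says it applies only when `loadbalancer_type = "application"`), so enabling the flag on the nlb example or on a classic load balancer fails with an opaque listener-lookup error instead of a clear message; gate both counts the same way, e.g. `count = local.enabled && var.loadbalancer_type == "application" && var.loadbalancer_redirect_http_to_https ? 1 : 0`. The lookup also keys the listener on `var.application_port`; if that variable describes the instance-side port rather than the port the environment's plain-HTTP listener is created on, the two can diverge — confirm which port the default listener actually uses before relying on it. A short comment above the data block would make the intent and the ALB-only assumption visible to the next reader, e.g. `# Finds the plain-HTTP listener (environment-owned or supplied via shared_loadbalancer_arn) so a redirect-to-HTTPS rule can be attached; ALB only.` Worth noting in that comment too that `redirect` leaves `path` and `query` at the provider defaults, so the original path and query string are preserved across the redirect.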
@@ -569,3 +569,44 @@ variable "enable_capacity_rebalancing" { default = false description = "Specifies whether to enable the Capacity Rebalancing feature for Spot Instances in your Auto Scaling Group" } + +variable "loadbalancer_redirect_http_to_https" { + type = bool + default = false + description = "Redirect HTTP traffic to HTTPS listener" +} + +variable "loadbalancer_redirect_http_to_https_priority" { + type = number + default = 1 + description = "Defines the priority for the HTTP to HTTPS redirection rule" +} + +variable "loadbalancer_redirect_http_to_https_path_pattern" { + type = list(string) + default = ["*"] + description = "Defines the path pattern for the HTTP to HTTPS redirection rule" +} + +variable "loadbalancer_redirect_http_to_https_host" { + type = string + default = "#{host}" + description = "Defines the host for the HTTP to HTTPS redirection rule" +} + +variable "loadbalancer_redirect_http_to_https_port" { + type = string + default = "443" + description = "Defines the port for the HTTP to HTTPS redirection rule" +} + +variable "loadbalancer_redirect_http_to_https_status_code" { + type = string + default = "HTTP_301" + description = "The redirect status code" + + validation { + condition = contains(["HTTP_301", "HTTP_302"], var.loadbalancer_redirect_http_to_https_status_code) + error_message = "Allowed values are \"HTTP_301\" or \"HTTP_302\"." + } +} diff --git a/versions.tf b/versions.tf index fc6bdc59..b79ce15e 100644 --- a/versions.tf +++ b/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.14.0" + required_version = ">= 0.15.0" required_providers { aws = {
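Review bot: The description of `loadbalancer_redirect_http_to_https_path_pattern` should say that only requests matching the pattern are redirected — anything outside it is still answered over plain HTTP by the listener's default action, which is easy to miss once the `["*"]` default is narrowed; e.g. `description = "Path patterns (ALB listener-rule syntax) redirected to HTTPS; HTTP requests matching none of them are still served by the listener's default action"`. `loadbalancer_redirect_http_to_https_priority` must be unique among the rules already on the listener, which matters on a shared load balancer (`loadbalancer_is_shared`) where another environment may already hold priority 1; say so in its description and consider a `validation` block bounding it to the 1–50000 range ALB accepts, matching the validation style already used for the status code. The `_host` and `_port` inputs are passed straight into the redirect action, so a one-line note that `#{host}` and `443` keep the request on the same host over TLS, and that any other value sends clients elsewhere, would help operators review changes to them.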
"*"
]